Reconstructing a dead puppetmaster
17 views
Skip to first unread message
Mike
Jun 3, 2008, 5:11:02 PM6/3/08
to Puppet Users
Has anyone written up the steps required to rebuild a puppetmaster
when one has died, or more commonly when one wants to move it from one
hosting provider to another? (Assume it's a VPS so that I can't
physically move the server.)
My one requirement is that I not have to log into each client, clean
out the cert stuff, and then re-sign everyone's certificate. I think
the steps are something like this:
1. Set up the new server, install puppetmaster, unzip your /etc/puppet
backup and whatever templates/fileserver files you have. (I'm not
using storedconfig so this step is fairly stateless and simple for
me.)
2. ??? that causes clients to agree that the new puppetmaster is
genuine.
3. Update your puppetmaster's DNS entry to the new puppetmaster IP
address.
4. Wait one TTL, then when requests to the old puppetmaster have died
off, take it out back behind the barn and shoot it.
I would guess that #2 could be something like "unzip /var/lib/puppet/
ssl from the old puppetmaster to the new one," but I'd like something
more trustworthy than my own educated guess.
when one has died, or more commonly when one wants to move it from one
hosting provider to another? (Assume it's a VPS so that I can't
physically move the server.)
My one requirement is that I not have to log into each client, clean
out the cert stuff, and then re-sign everyone's certificate. I think
the steps are something like this:
1. Set up the new server, install puppetmaster, unzip your /etc/puppet
backup and whatever templates/fileserver files you have. (I'm not
using storedconfig so this step is fairly stateless and simple for
me.)
2. ??? that causes clients to agree that the new puppetmaster is
genuine.
3. Update your puppetmaster's DNS entry to the new puppetmaster IP
address.
4. Wait one TTL, then when requests to the old puppetmaster have died
off, take it out back behind the barn and shoot it.
I would guess that #2 could be something like "unzip /var/lib/puppet/
ssl from the old puppetmaster to the new one," but I'd like something
more trustworthy than my own educated guess.
Ohad Levy
Jun 4, 2008, 2:13:15 AM6/4/08
to puppet...@googlegroups.com
Hi,
The way I see it is that if you take care for the certificates, than all the other steps are real easy.
if you check the centralized puppet infrastructure page at http://reductivelabs.com/trac/puppet/wiki/PuppetScalability, you could design a puppet master who signs other puppetmasters certificate.
and than you could tell the clients to trust any puppet master which was signed by the root puppet master, making its unnecessary to sign all clients again.
in our environment we build puppet masters by another puppetmaster.... and then the only thing we need to change is the dns entry.
Cheers,
Ohad
The way I see it is that if you take care for the certificates, than all the other steps are real easy.
if you check the centralized puppet infrastructure page at http://reductivelabs.com/trac/puppet/wiki/PuppetScalability, you could design a puppet master who signs other puppetmasters certificate.
and than you could tell the clients to trust any puppet master which was signed by the root puppet master, making its unnecessary to sign all clients again.
in our environment we build puppet masters by another puppetmaster.... and then the only thing we need to change is the dns entry.
Cheers,
Ohad
Reply all
Reply to author
Forward
0 new messages